Let's take a step back. Many of us chimed in to help and it might got confusing, apologies. The latest error you get now isn't related to the changes I suggested, but to the changes you did due to what Tim was suggesting, which unfortunately weren't enough to address his points.
It doesn't. What you have done now is configure ADFS to release a NameID without a format. This is again almost always wrong. You don't have to use a NameID, but if you do, you need to configure it correctly. We can't help you much with your ADFS configuration, but you need to
- either figure out how to release a NameID with persistent format ( based on the value of some attribute ) and configure elasticsearch to map this to the principal property
- or use any other attribute to map to the principal property. I.e. UPN
The possibilities for correct configuration are many and there isn't a better/simple/only one I can suggest. So I'll suggest one that works and feel free to alter this to your liking.
-
Configure ADFS to release a persistent NameID. There's enough ADFS related documentation around this, i.e. see Name Identifiers in SAML assertions | Microsoft Learn and check the section with subtitle " Persistent name identifier". You need to select which value AD you would pass as the value of the NameID ( == what you should select for `Incoming claim type" in the screenshot ), UPN is a good candidate.
-
Change
nameid_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedtonameid_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistentin your configuration. -
Leave everything else as is.